Educause Security Discussion mailing list archives

Re: Marketscore and Higher Ed


From: Mark Poepping <poepping () CMU EDU>
Date: Thu, 23 Dec 2004 15:13:55 -0500

Following on to the Marketscore thread from the last couple of months, the
Internet2 SALSA Advisory group has prepared the following commentary that
we hope helps to inform the topic as we continue to discuss the issues...

---

There are many plug-ins, systems, and services that insert the ability to
analyze, record, or modify data between clients and servers.  Many of
these are intentionally malicious in nature (e.g. spyware), but others are
created by legitimate organizations for stated business purposes.
Examples in this latter category include:

 * Anonymizer - A service that offers malware protection and web surfing
anonymity.
 * Marketscore - A service that promises faster web page download and
virus protection in exchange for authority to gather market research data.

While we may argue about specific intent or technique, the consensual
nature of these applications generally excludes them from our classifying
them as 'spyware'.  However, the use of these applications may expose
health, financial, or other protected or personal information to third
parties in violation of the security policy of a campus, user, or other
external service.  Institutions that wish to reduce the likelihood of
these types of violations should consider some or all of the following
techniques as they assess their own risk-mitigation
efforts:

* Host-based Detection - All users should use software that provides
vigilance for disclosure of data to third parties, particularly if it's
outside the scope of consensual services.  Detecting and preventing these
applications is often beyond the scope of traditional anti-virus packages
and may require installation of additional software.

* Stateless Network-based Remediation - Redirecting DNS queries, or
blocking packets at the firewall based on IP address or TCP/UDP port
numbers believed associated with these services may offer immediate relief
for large user populations, but may also block legitimate resources or
require continual parameter adjustments as the provider adapts.

* Stateful Network-based Remediation - Stateful firewalling, and
signature-based Intrusion Detection and Prevention Systems can also
quickly protect large numbers of clients with fewer side effects, but may
not scale to very high speeds and many will be ineffective if the traffic
is encrypted.

* Education and Policy - Campus computer users must be informed about the
implications of using these third party services, preferably incorporated
into the security training materials provided by groups like EDUCAUSE.
Institutions must also consider policies that restrict access to networked
campus resources and/or impose higher costs on persons who opt in to these
types of services.

Our concern remains high that this class of product may violate user,
campus, or third party security policies.  We encourage an open dialogue
between vendors and academic representatives - possibly within the
Security Task Force to address these issues in an effort to continue to
promote good privacy and security practices.

Finally, looking ahead, we would like to consider other approaches that
might help us to address these issues, for example:
        - more granular plug-in capabilities or better sandbox control
        - local feedback on traffic activity
        - better services for policy definition, assessment, and
enforcement

We are certainly interested to learn more about and discuss
possibilities in these (or other) areas, and will work to facilitate some
discussion in these directions.

Mark Poepping for SALSA
http://security.internet2.edu/salsa
